Who is the Data Controller and what are its responsibilities under the GDPR?

The Data Controller (“DC”) is the one who, alone or jointly, determines the purpose and means of the processing of personal data; in other words, is the one who decides why other’s personal data is processed and how it would be processed; therefore, is regulated under the GDPR and it is abided by its rules.

Useful? Embed this infographic on your website.

In that order of ideas, if you are a DC or you are preparing to advice one, it is necessary to first identify its responsibilities under the GDPR. Each Data Controller has the following responsibilities

GENERAL RESPONSIBILITIES:

Comply with the GDPR
Comply with all the rules set on the GDPR; the DC is required to implement appropriate technical and organisational measures which ensure Data Protection by Design and by Default, which shall be reviewed and updated as necessary.

Demonstrate Compliance with the GDPR
Prove compliance. For that, the DC shall implement data protection policies or adhere to approved codes of conduct or approved certification mechanism. In any case, it is necessary for the DC to count with documentation that proves that the measures to comply with the GDPR are in place, are effective and are reviewed and updated as necessary.

Data Processor (DP)
If needed, the DC should use only DP providing sufficient guarantees in the implementation of technical and organisational measures as required by the GDPR, and the relationship shall be recorded in a written contract.

Records of Processing Activities
This is an internal document that demonstrates how and why personal data is being processed. Unless exempted in line with Art. 30 (5) GDPR, it is under the DC responsibility to maintain this document and record on it the information required in art. 30 (1) GDPR.

Cooperation with the Supervisory Authority
The DC must cooperate with the Supervisory Authority with the performance of its tasks (Art. 57 GDPR).

Additionally:

For DC established outside the EU
Unless exempted as stated in Art. 27 (2) GDPR, the DC shall designate in writing a representative in the EU to be addressed in all the issues related to the processing for compliance purposes with the GDPR.

For Joint Controllers
Unless determine by Union or Member State law, the joint controllers shall in a transparent manner determine their respective responsibilities by means of an arrangement, the essence of it shall be available to the data subjects. Also, shall designate a point of contact for the data subjects.

PARTICULAR RESPONSIBILITIES:

Security of Processing
DC must guarantee the security of processing personal data. In that sense, the DC must take into account the points set in the GDPR when implementing technical and organisational measures that ensure a level of security appropriate to the risk.

Notification of Personal Data Breach (“Data Breach”) to the Supervisory Authority (“SA”)
In case a data breach occurs, the DC has the legal duty to notify the SA within the next 72 hours after has become aware of it; unless the breach does not risk the rights and freedoms of the natural person. Now, regardless of the need to notify, the DC must keep all data breaches document, safely kept and available for the SA.

Communication of Personal Data Breach to the Data Subject
Unless exempted in line with art. 34 (3) GDPR, when the data breach is likely to result in a high risk to rights and freedoms of a natural person, the DC must notify the data subject without undue delay. The notification must be clear and plain language, stating what happened and the measures are taken to remedy the situation.

Data Protection Impact Assessment (DPIA)
Unless exempted by Art. 35(5) and (10) GDPR, prior any processing and in consultation with the Data Protection Officer (“DPO”), the DC must carry out a DPIA when the processing is likely to result in high risk to the rights and freedoms of natural persons, or in compliance with approved codes of conduct, or when seeking the view of data subjects.

Prior Consultation
If the results of a DPIA shows that the processing will result in high risk in the absence of measures by DC to mitigate the risk. DC has the legal duty to consult the SA before the processing. Important to note that is a duty of consultation; however, Member State law can also require prior authorisation.

Designation and Position of a Data Protection Officer (DPO)
The DC must appoint a DPO and involve him/her properly and in a timely manner in all issues related to processing personal data when it processes personal data on a large scale that require regular and systematic monitoring of data subjects or is a special category of data or data related to criminal convictions or offences. Also, this duty applies to public authorities or bodies- except for courts acting in their judicial capacity.

KEY POINTS TO KEEP IN MIND:

Some of the duties of a DC are also duties of a DP.

A DC can also act as a DP concerning the same data. In those scenarios, you should distinguish when it acts as DC and when as a DP to assign the responsibilities correctly. See:

Regarding liability, the data subject can hold liable any of the actors involved in the processing of his/her personal data either DC(s) and/or DP(s) and for the entire damage.

The imposition of fines shall in each case be effective, proportionate and dissuasive. The GDPR impose different penalties in accordance with the breach. For instance, a fine up to 10,000 000 EUR or up to 2% of the total worldwide annual turnover preceding financial year when the DPO appointed by DC does not fulfil its tasks.

Do you have further questions regarding who is Data Controller and its duties? Do not hesitate to leave a comment or write to me at jessica@talacka.com, to arrange a meeting.

Imagine, for instance, a service provider of an Investment Fund which collects and process the personal data of the Fund’s investors on behalf of the Fund (as Data Processor), and also process the same personal data to fulfil its legal obligations for AML, FATCA and CRS (as Data Controller). I wrote an article and did an infographic about this topic, check: https://www.talacka.com/dual-role-gdpr/